Only sanitize on windows
benibenj committed May 2, 2024
1 parent 9e06c04 commit b1bde5a
Showing 1 changed file with 11 additions and 8 deletions.
19 changes: 11 additions & 8 deletions src/package.ts
Expand Up @@ -395,30 +395,33 @@ export async function versionBump(options: IVersionBumpOptions): Promise<void> {
}
}


// call `npm version` to do our dirty work
const args = ['version', options.version];

if (options.commitMessage) {
// Sanitize commit message due to possible shell injection on windows
const sanitizedCommitMessage = sanitizeCommitMessage(options.commitMessage);
if (sanitizedCommitMessage) {
args.push('-m', sanitizedCommitMessage);
}
const isWindows = process.platform === 'win32';

const commitMessage = isWindows ? sanitizeCommitMessage(options.commitMessage) : options.commitMessage;
if (commitMessage) {
args.push('-m', commitMessage);
}

if (!(options.gitTagVersion ?? true)) {
args.push('--no-git-tag-version');
}

const isWindows = process.platform === 'win32';
const { stdout, stderr } = await promisify(cp.execFile)(isWindows ? 'npm.cmd' : 'npm', args, { cwd, shell: isWindows /* https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2 */ });
if (!process.env['VSCE_TESTS']) {
process.stdout.write(stdout);
process.stderr.write(stderr);
}
}

function sanitizeCommitMessage(message: string): string | undefined {
function sanitizeCommitMessage(message?: string): string | undefined {
if (!message) {
return undefined;
}

// Allow alphanumeric, space, common punctuation, newline characters.
// Specifically check for characters that might escape quotes or introduce shell commands.
// Newlines are allowed, but backslashes (other than for newlines), backticks, and dollar signs are still checked.
